E Hacking News is a leading portal for IT Security and Hacker News. Get Cyber Security, hacker and cyber crime updates.

28 October 2018

Exposed Docker APIs Used By Attackers To Create New Containers That Perform Cryptojacking

Earlier this year it was revealed that attackers are using insecure Docker and Kubernetes systems to deploy containers that mine cryptocurrency. These containers are packages that include an application and all of the dependencies needed to run it; the packages are then deployed as containers on Docker or Kubernetes infrastructure.

Trend Micro has now also observed an attacker scanning specifically for insecure, exposed Docker Engine APIs and using them to deploy containers that download and execute a coin miner.

Docker containers are deployed on a platform referred to as the Docker Engine, where they can run in the background alongside other containers deployed to the system.

If the Docker Engine isn't properly secured, attackers can remotely use the Docker Engine API to deploy containers of their own creation and start them on the insecure system.

Container Creation

When the container is deployed and started, it runs an auto.sh script that downloads a Monero miner and configures it to launch automatically. The script also downloads port-scanning software, which it uses to look for other vulnerable Docker Engine instances on ports 2375 and 2376 and attempt to spread to them.

The script scans all networks reachable from the host, at a rate of 50,000 packets per second, for open ports 2375 and 2376; the result is saved in local.txt (anonymized/defanged):

masscan "$@" -p2375,2376 --rate=50000 -oG local.txt;
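A sweep like the one above leaves a distinctive trace on the targets: one source sending TCP SYNs to port 2375 or 2376 on many hosts in quick succession. The following detection logic is an added example written for this article, not code from the original post or from Trend Micro; it runs over constructed iptables LOG lines (the sample data is made up, and assumes a rule such as `iptables -A INPUT -p tcp --syn -j LOG --log-prefix "INPUT-SYN: "` on each host, with the kernel logs of all hosts collected in one place) and reports sources that probed the Docker API ports on at least a threshold number of distinct hosts.

```python
import re
from collections import defaultdict

# Constructed sample data: iptables LOG output from several hosts, gathered centrally.
# 10.0.0.5 sweeps four hosts on 2375/2376 (the behaviour described in the article);
# 10.0.2.2 touches one host; 10.0.3.3 only probes SSH and should not be reported.
SAMPLE_LOG = """\
Oct 28 10:00:01 web1 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.7 PROTO=TCP SPT=40001 DPT=2375 SYN URGP=0
Oct 28 10:00:01 web2 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.8 PROTO=TCP SPT=40002 DPT=2375 SYN URGP=0
Oct 28 10:00:01 db1 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.9 PROTO=TCP SPT=40003 DPT=2376 SYN URGP=0
Oct 28 10:00:02 ci1 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.1.10 PROTO=TCP SPT=40004 DPT=2376 SYN URGP=0
Oct 28 10:05:00 web1 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.2.2 DST=10.0.1.7 PROTO=TCP SPT=51000 DPT=2376 SYN URGP=0
Oct 28 10:05:30 web1 kernel: INPUT-SYN: IN=eth0 OUT= SRC=10.0.3.3 DST=10.0.1.7 PROTO=TCP SPT=51001 DPT=22 SYN URGP=0
"""

# The two ports the article names: 2375 (plaintext API) and 2376 (TLS API).
DOCKER_API_PORTS = {2375, 2376}

# iptables LOG lines carry key=value fields; the lazy .*? skips LEN/TOS/TTL etc.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+) (?P<flags>.*)")


def parse_line(line):
    """Return (src, dst, dst_port, is_syn) for an iptables LOG line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], int(m["dpt"]), "SYN" in m["flags"].split()


def find_docker_api_sweeps(log_text, min_targets=3):
    """Map each source IP that sent SYNs to the Docker API ports on at least
    `min_targets` distinct hosts to the sorted list of hosts it probed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dpt, syn = parsed
        if syn and dpt in DOCKER_API_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_docker_api_sweeps(SAMPLE_LOG).items():
        print(f"ALERT: {src} probed Docker API ports on {len(dsts)} hosts: {', '.join(dsts)}")
```

The threshold is the tuning knob: a masscan run at 50,000 packets per second hits every host in a subnet within seconds, so even a low `min_targets` over a short window separates it from a single misconfigured client. Because the logging happens on the targets rather than on the compromised host, this also catches sweeps that originate from a container the attacker already controls.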

Conduct lateral
movement by infecting or abusing more hosts found in previous reconnaissance:

In this way, the attacker can accumulate a large number of Docker Engine containers that mine coins on their behalf.

Although Docker Engine API abuse isn't new, it remains a problem because administrators don't properly secure their systems. To keep attackers from abusing insecure Docker Engine deployments, Trend Micro recommends that administrators adopt the following security measures:

Harden the security posture. The Center for Internet Security (CIS) has a reference that can help system administrators and security teams establish a benchmark for securing their Docker Engine.

Enforce the principle of least privilege. For
instance, restrict access to the daemon and encrypt the communication protocols
it uses to connect to the network. Docker has guidelines on how to protect the
daemon socket.

Properly configure how many resources containers are allowed to use (control groups and namespaces).

Enable Docker’s built-in security features to
help defend against threats. Docker has several guidelines on how to securely
configure Docker-based applications.
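The two recommendations that matter most against this attack, restricting access to the daemon and capping what containers may consume, can both be checked mechanically. The following audit script is an added example for this article, not code from Docker, Trend Micro or the original post. It places the exposed daemon.json the article describes (a tcp://0.0.0.0:2375 listener with no TLS) beside a hardened one, and inspects constructed `docker inspect`-style HostConfig fragments for missing cgroup limits. The daemon.json keys used (hosts, tlsverify, tlscacert, tlscert, tlskey) are real dockerd options; the file contents, container names and certificate paths are made-up sample data.

```python
import json

# Constructed sample data: the exposed configuration from the article. Listening on
# tcp://0.0.0.0:2375 with no TLS hands the full Docker API to anyone who can reach the port.
EXPOSED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed sample data: the hardened form. The daemon listens only on one internal
# address, on the TLS port, and tlsverify makes it demand a client certificate signed by
# the CA in tlscacert (this is what Docker's "protect the daemon socket" guidance sets up).
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.1.7:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed `docker inspect` HostConfig fragments. In Docker's API, 0 means "no limit".
CONTAINERS = [
    {"Name": "web", "HostConfig": {"Memory": 536870912, "NanoCpus": 1000000000, "Privileged": False}},
    {"Name": "unbounded", "HostConfig": {"Memory": 0, "NanoCpus": 0, "Privileged": True}},
]


def audit_daemon_config(daemon_json_text):
    """Return a list of findings for the text of a daemon.json file."""
    cfg = json.loads(daemon_json_text)
    findings = []
    tls_on = bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// listeners are local to the host
        bind, _, port = host[len("tcp://"):].rpartition(":")
        if not tls_on:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated remote API)")
        if bind in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: bound to all interfaces")
        if port == "2375":
            findings.append(f"{host}: plaintext API port 2375")
    if tls_on:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is missing")
    return findings


def audit_container_limits(containers):
    """Flag containers with no memory or CPU ceiling, or running privileged. Cgroup
    limits bound how much of a hijacked host a miner can consume; privileged mode
    discards the namespace isolation the recommendations rely on."""
    findings = []
    for c in containers:
        hc = c["HostConfig"]
        if hc.get("Memory", 0) == 0:
            findings.append(f"{c['Name']}: no memory limit")
        if hc.get("NanoCpus", 0) == 0:
            findings.append(f"{c['Name']}: no CPU limit")
        if hc.get("Privileged"):
            findings.append(f"{c['Name']}: runs privileged")
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{label}: {audit_daemon_config(text) or 'no findings'}")
    print(audit_container_limits(CONTAINERS))
```

One caveat when applying the hardened file on a real host: if the systemd unit already passes `-H fd://` on the dockerd command line, dockerd refuses to start because `hosts` is then specified both as a flag and in daemon.json; the listener has to be configured in one place only. Against a live daemon, the HostConfig fragments come from `docker inspect`, and a container that shows up with no limits and no owner is exactly the kind of artifact the attack in this article leaves behind.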